Information Commissioner’s Office


DATA PROTECTION ACT 1998


SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER


MONETARY PENALTY NOTICE


To: SportsDirect.com Retail Limited


Of: Unit A, Brook Park East, Shirebrook NG20 8RY


The Information Commissioner (“the Commissioner”) has decided to 
issue SportsDirect.com Retail Limited (“SportsDirect”) with a monetary 
penalty under section 55A of the Data Protection Act 1998 (“DPA”). The 
penalty is in relation to a serious contravention of Regulation 22 of the 
Privacy and Electronic Communications (EC Directive) Regulations 2003 
(“PECR”). 


This notice explains the Commissioner's decision. 


Legal framework 


SportsDirect, whose registered office address is given above 
(Companies House Registration Number: 03406347) is the organisation 
stated in this notice to have transmitted unsolicited communications by 
means of electronic mail to individual subscribers for the purposes of
direct marketing contrary to regulation 22 of PECR.


Regulation 22 of PECR states:


“(1) This regulation applies to the transmission of unsolicited
communications by means of electronic mail to individual
subscribers.


(2) Except in the circumstances referred to in paragraph (3), a person
shall neither transmit, nor instigate the transmission of, unsolicited
communications for the purposes of direct marketing by means of
electronic mail unless the recipient of the electronic mail has
previously notified the sender that he consents for the time being
to such communications being sent by, or at the instigation of, the
sender.


(3) A person may send or instigate the sending of electronic mail for
the purposes of direct marketing where—


(a) that person has obtained the contact details of the recipient
of that electronic mail in the course of the sale or
negotiations for the sale of a product or service to that
recipient;


(b) the direct marketing is in respect of that person’s similar
products and services only; and


(c) the recipient has been given a simple means of refusing
(free of charge except for the costs of the transmission of
the refusal) the use of his contact details for the purposes
of such direct marketing, at the time that the details were
initially collected, and, where he did not initially refuse the
use of the details, at the time of each subsequent
communication.


(4) A subscriber shall not permit his line to be used in contravention of
paragraph (2).”


Section 122(5) of the Data Protection Act 2018 “DPA18” defines direct
marketing as “the communication (by whatever means) of any
advertising material which is directed to particular individuals”. This
definition also applies for the purposes of PECR (see regulation 2(2)
PECR and paragraphs 430 & 432(6) to Schedule 19 of the DPA18).


Consent in PECR is now defined, from 29 March 2019, by reference to 
the concept of consent in Regulation 2016/679 (“the GDPR”): 
regulation 8(2) of the Data Protection, Privacy and Electronic 
Communications (Amendments etc) (EU Exit) Regulations 2019. Article 
4(11) of the GDPR sets out the following definition: “'consent’ of the 
data subject means any freely given, specific, informed and 
unambiguous indication of the data subject's wishes by which he or 
she, by a statement or by a clear affirmative action, signifies
agreement to the processing of personal data relating to him or her”.


Recital 32 of the GDPR materially states that “When the processing has 
multiple purposes, consent should be given for all of them”. Recital 42 
materially provides that "For consent to be informed, the data subject 
should be aware at least of the identity of the controller”. Recital 43 
materially states that “Consent is presumed not to be freely given if it 
does not allow separate consent to be given to different personal data
processing operations despite it being appropriate in the individual case”.


“Individual” is defined in regulation 2(1) of PECR as “a living individual
and includes an unincorporated body of such individuals”.


A “subscriber” is defined in regulation 2(1) of PECR as “a person who is
a party to a contract with a provider of public electronic
communications services for the supply of such services”.


“Electronic mail” is defined in regulation 2(1) of PECR as “any text,
voice, sound or image message sent over a public electronic
communications network which can be stored in the network or in the
recipient’s terminal equipment until it is collected by the recipient and
includes messages sent using a short message service”.


The term "soft opt-in" is used to describe the rule set out in
Regulation 22(3) of PECR. In essence, an organisation may be able to
e-mail its existing customers even if they haven't specifically consented
to electronic mail. The soft opt-in rule can only be relied upon by the
organisation that collected the contact details.


Section 55A of the DPA (as applied to PECR cases by Schedule 1 to
PECR, as variously amended) states:


“(1) The Commissioner may serve a person with a monetary penalty if
the Commissioner is satisfied that -


(a) there has been a serious contravention of the requirements
of the Privacy and Electronic Communications (EC
Directive) Regulations 2003 by the person,


(b) subsection (2) or (3) applies.


(2) This subsection applies if the contravention was deliberate.


(3) This subsection applies if the person -


(a) knew or ought to have known that there was a risk that the
contravention would occur, but


(b) failed to take reasonable steps to prevent the
contravention.”


The Commissioner has issued statutory guidance under section 55C (1)
of the DPA about the issuing of monetary penalties that has been
published on the ICO’s website. The Data Protection (Monetary
Penalties) (Maximum Penalty and Notices) Regulations 2010 prescribe
that the amount of any penalty determined by the Commissioner must
not exceed £500,000.


PECR were enacted to protect the individual’s fundamental right to 
privacy in the electronic communications sector. PECR were 
subsequently amended and strengthened. The Commissioner will 
interpret PECR in a way which is consistent with the Regulations’ 
overall aim of ensuring high levels of protection for individuals’ privacy
rights.


The provisions of the DPA remain in force for the purposes of PECR 
notwithstanding the introduction of the DPA18: see paragraph 58(1) of 
Schedule 20 to the DPA18. 


Background to the case 


SportsDirect came to the attention of the Commissioner due to 
complaints reported via the ICO’s online reporting tool. The 
Commissioner received twelve complaints about unsolicited
communications between 21 December 2019 and 16 February 2020.


The Commissioner sent an initial investigation letter to SportsDirect on 
25 February 2020 setting out her concerns regarding SportsDirect’s 
compliance with PECR and asking for, inter alia, the source of its data, 
and evidence of the consent relied on in the course of its direct 
marketing campaign between 21 December 2019 and 16 February 
2020.


SportsDirect provided a response on 13 March 2020. This response
explained that all data used to engage in its direct marketing is
obtained directly from customers; and provided details of the ways in
which it obtained consent to engage in its direct marketing campaigns.
In relation to the complaints which had been received, SportsDirect
indicated that these recipients were part of a “re-engagement
campaign”, and stated:


“The ecommerce team determined that the data subjects in the aged
data set had not unsubscribed from receiving email marketing and
would only send emails with content that provided offers on multi-buy
products or free delivery/click&collect, along with the usual unsubscribe
link. This was done with the expectation that data subjects would
either not engage with the email, choose to unsubscribe from future
emails or view those offers and emails positively and engage with
Sports Direct.


Where a data subject unsubscribed, this would be processed in the
normal way, and where they did not engage with the emails after a
reasonable period, the data would be removed from or anonymised
within the marketing database.


Having considered the proposed approach and likely impact of the
re-engagement campaign, the ecommerce team took the decision to run a
re-engagement campaign with that aged data set with the objectives of
(1) reducing the amount of data held in the marketing database and
(2) connecting with customers who had not engaged with Sports Direct
within the normal engagement criteria.”


SportsDirect explained that "...the Sports Direct ecommerce team
analysed the Sports Direct marketing database and identified a
category of data that showed as being opted in to receive email
marketing but had not been sent any marketing emails.". This category
of data has been referred to as the ‘aged data / aged dataset’.


Regarding evidence of consent, SportsDirect stated that “none of the 
complainants were recorded as being opted out of marketing emails at 
the time their details were collected and had not unsubscribed to 
marketing emails at the time when the emails were sent”. It also 
provided a simple breakdown of the “lawful basis” relied upon for each
complainant (i.e. soft opt-in; or consent).


The Commissioner sent further enquiries to SportsDirect on 2 April 
2020, specifically seeking confirmation of the number of emails which 
were sent between 21 December 2019 and 16 February 2020, in 
addition to further information regarding the consent being relied upon
and the frequency of the direct marketing emails being sent.


SportsDirect requested an extension of two months for its response in 
light of the impact of the COVID-19 pandemic, which the Commissioner
agreed to.


SportsDirect responded on 12 June 2020 in line with the agreed 
extension period to provide answers to the Commissioner’s most recent 
questions. Within this response it was confirmed that between 21 
December 2019 and 16 February 2020 there were a total of 
459,882,124 emails sent by SportsDirect, with 2,948,865 of those 
relating specifically to the “re-engagement campaign”. SportsDirect 
provided percentages for the number of those sent messages which 
had been received by a subscriber; in relation to the “re-engagement
campaign” it was explained that 87% were received, which the
Commissioner calculates equates to 2,565,513 direct marketing
messages being received over the relevant period.


SportsDirect claimed to rely on the ‘soft opt in’ for seven of the twelve 
complainants, and stated that consent had been obtained from three of 
the twelve complainants directly. In terms of the two remaining 
complainants, SportsDirect claimed that its records did not show any 
messages being sent to one of them; and that the final complainant 
had since requested that their information be removed from its 
systems and so SportsDirect was unable to provide details of the lawful
basis on which it would have relied to send the message.


The Commissioner took the view that sufficient evidence of valid 
consent had not been provided and sent an email to SportsDirect on 2 
July 2020 to request this. SportsDirect requested an extension for 
providing this information which the Commissioner granted, although it 
was explained to SportsDirect that in the Commissioner's view such
evidence should be readily available.


SportsDirect provided its response on 20 July 2020 with purported 
evidence of consent for three of the twelve complainants, specifically 
stating that those individuals had signed up to a ‘local customer benefit 
scheme’ (the “benefit scheme”) at a store outside of the United 
Kingdom on 8 August 2011, 6 October 2012 and 24 April 2014 
respectively. The purpose of the benefit scheme was to allow 
subscribers to “receive their receipts by email, a regular brochure, 
annual vouchers and other offers and promotions”. This scheme
ceased to operate in 2018.


The Commissioner sent further queries to SportsDirect on 14 August
2020 to establish why subscribers who signed up to the benefit scheme
continued to receive messages, and the number of customers who had
consented to marketing communications in this way.


SportsDirect explained in response that “[f]ollowing cessation of the
Scheme, the Scheme data set was reviewed and it was decided that (i)
there was a legitimate interest in members of the Scheme continuing
to receive general offers and discounts from the business as an
alternative to the benefits previously made available under the Scheme
and (ii) it would be prudent to run a data cleanse. This data cleanse
removed duplicated data, incorrectly formatted email addresses and
emails identified as ‘spam traps’. This left a data set of around 779,000
email contacts.


This reduced data set then received a small number of emails
immediately following cessation of the Scheme, starting with a
welcome-style email introducing the type of emails members would
receive following cessation of the Scheme, unless they unsubscribed.”


The Commissioner asked further questions on 4 September 2020. In 
particular the Commissioner wished to know, inter alia, the specific 
date when the benefit scheme ended; the number of emails sent to, 
and received by, subscribers after the cessation of the scheme; and as 
part of the “re-engagement campaign”, how many subscribers were 
sent messages who had initially consented to marketing emails as part
of a previous campaign.


In its response, SportsDirect again cited concerns which it had raised 
earlier in the investigation in respect of the challenges it has faced in 
gathering information to respond to some of the Commissioner’s 
queries; i.e. since many of the individuals who were “involved in
making decisions and administering the databases around the time the
dataset was cleansed have already long since left the business” [and]
“most files and communications created during their employment on
local drives have long since been deleted in accordance with standard
retention procedures”.


SportsDirect therefore sought to provide its “best estimate” of the
dates in connection with the cessation of the benefit scheme, stating
that it ceased to operate “in around January 2018”, and that
throughout January and February 2018 the data cleanse took place,
leaving “around 779,000 email contacts”. This dataset was then sent a
“welcome-style email” although the content of this could not be
determined. Those who “engaged” with the “welcome-style email”
were added to the “main email marketing dataset”.


In relation to the “re-engagement campaign” (also referred to by
SportsDirect as the “Christmas 2019 Email Campaign”), SportsDirect
stated: “one of the objectives of the Christmas 2019 Email Campaign
was to cleanse the marketing database. This cleanse began in the week
commencing 13 January 2020. This means that the business is not able
to retrieve data deleted at that time and is unable to re-create that
segmentation to provide [the Commissioner] with specific details
around how many individuals initially consented to marketing emails as
part of a previous campaign or scheme. The business used legitimate
interests as the basis on which to send the Christmas 2019 Email
Campaign.


For the reasons described above, it is no longer possible for us to
retrieve the distribution list used in the Christmas 2019 Email
Campaign and then separate out individuals who were initially opted in
through being a member of the Scheme”


The Commissioner sent an ‘end of investigation’ email to SportsDirect
on 21 October 2020, although it was invited to provide any further
“relevant evidence, or information regarding [its] policies, procedures
and training programmes”. SportsDirect responded on 2 November
2020 with a summary of its position, and information in respect of the
number of individuals who may have received an email as part of the
“re-engagement campaign”, specifically stating that it: “understand[s]
that the volume of emails sent as part of the Christmas 2019 Campaign
was approximately 2.9 million. [It] cannot quantify the total number of
data subjects emailed as part of this campaign due to the absence of
historic communications due to strict data deletion [...]. [...] the data
subjects would have included individuals who had been members of the
[Loyalty Scheme operating outside of the UK], but there would also
have been other recipients”. Whilst SportsDirect were unable to
confirm the precise number of individuals which it had emailed, its
confirmation that “approximately 2.9 million” messages were sent
accorded with the precise figures which it had provided on 12 June
2020 where it was stated that there had been 2,948,865 direct
marketing messages sent relating specifically to the “re-engagement
campaign”, with 87% being received.


The Commissioner has made the above findings of fact on the
balance of probabilities.


The Commissioner has considered whether those facts constitute
a contravention of regulation 22 of PECR by SportsDirect and, if so,
whether the conditions of section 55A DPA are satisfied.


The contravention


The Commissioner finds that SportsDirect contravened regulation 22 of
PECR.


The Commissioner finds that the contravention was as follows: 


The Commissioner finds that between 21 December 2019 and 16 
February 2020 there were 2,565,513 direct marketing emails received 
by subscribers. The Commissioner finds that SportsDirect transmitted
those direct marketing messages, contrary to regulation 22 of PECR.


SportsDirect, as the sender of the direct marketing, is required to 
ensure that it is acting in compliance with the requirements of 
regulation 22 of PECR, and to ensure that valid consent to send those
messages had been acquired.


SportsDirect has been unable to provide evidence of consent for the 
messages sent over the period of 21 December 2019 and 16 February 
2020. 


In this instance, in relation to the 2,565,513 direct marketing emails 
stated by SportsDirect on 12 June 2020 to have been received by 
subscribers over the relevant period, SportsDirect has been unable to 
provide evidence of valid consent. Indeed it is stated that it is no 
longer possible for SportsDirect to “retrieve the distribution list used in 
the Christmas 2019 Email Campaign”. In the circumstances the 
Commissioner is not satisfied that SportsDirect can avail itself of the
soft opt-in exception provided at regulation 22(3) PECR.


The Commissioner has gone on to consider whether the conditions
under section 55A DPA are met.


Seriousness of the contravention


The Commissioner is satisfied that the contravention identified
above was serious. This is because between 21 December 2019 and 16
February 2020, a total of 2,565,513 direct marketing messages were
received by subscribers having been sent by SportsDirect. These
messages, which were sent as part of a “re-engagement campaign”,
contained direct marketing material for which subscribers had not
provided valid consent. Furthermore, since SportsDirect is now unable
to retrieve the distribution list and is therefore unable to evidence
how/when details were purportedly obtained, the Commissioner is
satisfied that SportsDirect is unable to rely on the soft opt-in
exemption.


The Commissioner is therefore satisfied that condition (a) from 
section 55A(1) DPA is met. 


Deliberate or negligent contraventions 


The Commissioner has considered whether the contravention identified
above was deliberate.


The Commissioner does not consider that SportsDirect deliberately set
out to contravene PECR in this instance.


The Commissioner has gone on to consider whether the contravention
identified above was negligent. This consideration comprises two
elements:


Firstly, she has considered whether SportsDirect knew or ought
reasonably to have known that there was a risk that these
contraventions would occur. This is not a high bar and she is satisfied
that this condition is met.


The Commissioner has published detailed guidance for those carrying 
out direct marketing explaining their legal obligations under PECR. 
This guidance gives clear advice regarding the requirements of consent 
for direct marketing and explains the circumstances under which 
organisations are able to carry out marketing over the phone, by text, 
by email, by post, or by fax. In particular it states that organisations 
can generally only send, or instigate, marketing messages to 
individuals if that person has specifically consented to receiving them. 
The guidance also provides a full explanation of the “soft opt-in” 
exemption and states that organisations “should [...] make sure that 
they keep clear records of exactly what someone has consented to. In 
particular, they should record the date of consent, the method of 
consent, who obtained consent, and exactly what information was 
provided to the person consenting”. SportsDirect has been unable to 
do this. 


The Commissioner has published detailed guidance on consent under 
the GDPR. In case organisations remain unclear on their obligations, 
the ICO operates a telephone helpline. ICO communications about 
previous enforcement action where businesses have not complied with
PECR are also readily available.


It is therefore reasonable to suppose that SportsDirect should have
been aware of its responsibilities in this area.


Secondly, the Commissioner has gone on to consider whether
SportsDirect failed to take reasonable steps to prevent the
contraventions. Again, she is satisfied that this condition is met.


The Commissioner takes the view that any person wishing to engage in
direct marketing by electronic mail could and should - particularly
since the coming into effect of the GDPR - have ensured that all of
their consent capture mechanisms properly enabled consent to be
separately given or withheld for direct marketing communications, and
that such consent was retained. At the outset of the investigation the
Commissioner raised concerns with SportsDirect’s privacy policy which
stated: “You acknowledge that you do not object to us and third parties
identified below, including our Third Party Advertisers, using your
personal information for any of the purposes outlined in this privacy
policy and you confirm that you do not and will not consider any of
these purposes as a breach of any of your rights under the Privacy and
Electronic Communications (EC Directive) Regulations 2003” (emphasis
added). SportsDirect has since amended the wording of its Privacy
Policy.


The Commissioner takes the view that SportsDirect could legitimately 
have sought advice either from the Commissioner or from a legal 
advisor in relation to the basis on which it proposed to send its 
unsolicited direct marketing to an aged dataset but failed to do so. 
This is particularly egregious given that the purpose of SportsDirect’s 
“re-engagement campaign” was to contact individuals with whom it
had not “connected” for some time.


In the circumstances, the Commissioner is satisfied that SportsDirect
failed to take reasonable steps to prevent the contraventions.


The Commissioner is therefore satisfied that condition (b) from section 
55A (1) DPA is met. 


The Commissioner's decision to issue a monetary penalty


The Commissioner has taken into account the following
aggravating feature of this case:


The Commissioner is concerned about SportsDirect’s failure to maintain
satisfactory internal consent records.


The Commissioner has taken into account the following mitigating
feature of this case:


The Commissioner is mindful that SportsDirect has taken a number of 
steps to improve its compliance with data protection legislation, 
specifically it has carried out an exercise to reduce the amount of data 
in its database; it has reconsidered the frequency of emails which will 
be sent to individuals; and will introduce a new cleansing system. It 
is noted that it has also updated its privacy policy in line with the
Commissioner’s guidance.


For the reasons explained above, the Commissioner is satisfied that the 
conditions from section 55A (1) DPA have been met in this case. She is 
also satisfied that the procedural rights under section 55B have been
complied with.


The latter has included the issuing of a Notice of Intent, in which the 
Commissioner set out her preliminary thinking. In reaching her final 
view, the Commissioner has taken into account the representations
made by SportsDirect on this matter.


The Commissioner is accordingly entitled to issue a monetary penalty
in this case.


The Commissioner has considered whether, in the circumstances, she
should exercise her discretion so as to issue a monetary penalty.


The Commissioner has considered the likely impact of a monetary 
penalty on SportsDirect. She has decided on the information that is 
available to her, that SportsDirect has access to sufficient financial 
resources to pay the proposed monetary penalty without causing
undue financial hardship.


The Commissioner's underlying objective in imposing a monetary 
penalty notice is to promote compliance with PECR. The sending of 
unsolicited direct marketing messages is a matter of significant public 
concern. A monetary penalty in this case should act as a general 
encouragement towards compliance with the law, or at least as a 
deterrent against non-compliance, on the part of all persons running 
businesses currently engaging in these practices. The issuing of a 
monetary penalty will reinforce the need for businesses to ensure that 
they are only messaging those who specifically consent to receive
direct marketing.


For these reasons, the Commissioner has decided to issue a monetary
penalty in this case.


The amount of the penalty 


Taking into account all of the above, the Commissioner has decided 
that a penalty in the sum of £70,000 (seventy thousand pounds) is 
reasonable and proportionate given the particular facts of the case and
the underlying objective in imposing the penalty.


Conclusion


The monetary penalty must be paid to the Commissioner’s office by
BACS transfer or cheque by 14 October 2021 at the latest. The
monetary penalty is not kept by the Commissioner but will be paid into
the Consolidated Fund which is the Government’s general bank account
at the Bank of England.


If the Commissioner receives full payment of the monetary penalty by 
13 October 2021 the Commissioner will reduce the monetary penalty 
by 20% to £56,000 (fifty-six thousand pounds). However, you
should be aware that the early payment discount is not available if you
decide to exercise your right of appeal.


There is a right of appeal to the First-tier Tribunal (Information Rights)
against:


(a) the imposition of the monetary penalty
and/or;
(b) the amount of the penalty specified in the monetary penalty
notice.


Any notice of appeal should be received by the Tribunal within 28 days
of the date of this monetary penalty notice.


Information about appeals is set out in Annex 1.


The Commissioner will not take action to enforce a monetary penalty
unless:


• the period specified within the notice within which a monetary
penalty must be paid has expired and all or any of the monetary
penalty has not been paid;


• all relevant appeals against the monetary penalty notice and any
variation of it have either been decided or withdrawn; and


• the period for appealing against the monetary penalty and any
variation of it has expired.


73. In England, Wales and Northern Ireland, the monetary penalty is 
recoverable by Order of the County Court or the High Court. In 
Scotland, the monetary penalty can be enforced in the same manner as 
an extract registered decree arbitral bearing a warrant for execution
issued by the sheriff court of any sheriffdom in Scotland.


Dated the 13th day of September 2021


Andy Curry 

Head of Investigations 
Information Commissioner's Office 
Wycliffe House 

Water Lane 

Wilmslow 

Cheshire 

SK9 5AF


ANNEX 1
SECTION 55 A-E OF THE DATA PROTECTION ACT 1998 
RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER 


1. Section 55B(5) of the Data Protection Act 1998 gives any person
upon whom a monetary penalty notice has been served a right of
appeal to the First-tier Tribunal (Information Rights) (the ‘Tribunal’)
against the notice.


2. If you decide to appeal and if the Tribunal considers: -


a) that the notice against which the appeal is brought is not in
accordance with the law; or


b) to the extent that the notice involved an exercise of
discretion by the Commissioner, that she ought to have exercised
her discretion differently,


the Tribunal will allow the appeal or substitute such other decision as
could have been made by the Commissioner. In any other case the
Tribunal will dismiss the appeal.


3. You may bring an appeal by serving a notice of appeal on the
Tribunal at the following address:


General Regulatory Chamber
HM Courts & Tribunals Service
PO Box 9300
Leicester
LE1 8DJ


Telephone: 0203 936 8963
Email: grc@justice.gov.uk


a) The notice of appeal should be sent so it is received by the
Tribunal within 28 days of the date of the notice.


b) If your notice of appeal is late the Tribunal will not admit it
unless the Tribunal has extended the time for complying with this
rule.


4. The notice of appeal should state: -


a) your name and address/name and address of your
representative (if any);


b) an address where documents may be sent or delivered to
you;


c) the name and address of the Information Commissioner;


d) details of the decision to which the proceedings relate;


e) the result that you are seeking;


f) the grounds on which you rely;


g) you must provide with the notice of appeal a copy of the
monetary penalty notice or variation notice;


h) if you have exceeded the time limit mentioned above the
notice of appeal must include a request for an extension of time
and the reason why the notice of appeal was not provided in
time.


5. Before deciding whether or not to appeal you may wish to consult 
your solicitor or another adviser. At the hearing of an appeal a party 
may conduct his case himself or may be represented by any person
whom he may appoint for that purpose.


6. The statutory provisions concerning appeals to the First-tier 
Tribunal (Information Rights) are contained in section 55B(5) of, and 
Schedule 6 to, the Data Protection Act 1998, and Tribunal Procedure 
(First-tier Tribunal) (General Regulatory Chamber) Rules 2009 
(Statutory Instrument 2009 No. 1976 (L.20)). 